Tips and Tricks for the Linux (and maybe Solaris too) platform
After struggling to get my PCMCIA airo350 wireless card to work with PEAP in NUS for years, I finally caved in and used ndiswrapper. I know, I know, kernel 2.6.17 and above is supposed to support it, but that is for cards with firmware version 5.30.17 "or later". My card is 5.60.x, which is too much later, I guess.
So, no choice but to use ndiswrapper. So I booted into Windows, checked out the files used by the Aironet 350 device (driver properties -> files), and grabbed the files c:\windows\inf\netx500.inf and c:\windows\system32\drivers\pcx500.sys. Just FYI, pcx500mp.sys is for the Aironet 350 Mini-PCI card.
Then I booted into Linux and installed ndiswrapper (1.33) and wpa_supplicant (v0.5.7).
Next, I have to install the drivers. This was easy. First make sure the 2 files are in the same directory, then install the driver.
# install the driver
root $ /sbin/ndiswrapper -i /path/to/netx500.inf
# check the driver is installed
root $ /sbin/ndiswrapper -l
netx500 : driver installed
# insert the pcmcia card, then load ndiswrapper
root $ modprobe ndiswrapper
# check ndiswrapper is loaded
root $ lsmod
Module Size Used by
ndiswrapper 195284 0
root $ dmesg
[...]
ndiswrapper version 1.33 loaded
usbcore: registered new interface driver ndiswrapper
There's a problem. Ndiswrapper is not able to automatically create the PCMCIA configuration. I have to do this manually. I wrote one using the configuration it has already generated (14B9:0350.5.conf) as a guide.
# save this as /path/to/ndiswrapper/netx500/14B9:929B.8.conf (e.g /etc/ndiswrapper/netx500/14B9\:929B.8.conf)
# the '8' in the filename is because CardBus is device type 8.
NdisVersion|0x50001
Environment|1
class_guid|4d36e972-e325-11ce-bfc1-08002be10318
NetworkAddress|XX:XX:XX:XX:XX:XX
driver_version|,07/01/2001,7.29.0.0
BusType|8
FormFactor|PCMCIA
InfrastructureMode|1
LowerRange|ethernet
MediaDisconnectDamper|10
NodeName|
PowerSaveMode|0
RadioName|PC3500
Service|PCX500
SSID1|
SupportedRates|0
UpperRange|ndis5
Now we have to link the Cardbus PCMCIA slot to this configuration. As Cardbus slots are detected as PCI devices, we can use lspci.
# this is the CardBus device we have to take note of
root $ lspci
[...]
01:0b.0 CardBus bridge: Toshiba America Info Systems ToPIC95 (rev 07)
# Get the manufacturer's device ID (xxxx:xxxx)
root $ lspci -n
[...]
01:0b.0 0607: 1179:060a (rev 07)
# create a symlink for the configuration to this device
# Note the capital letters
root $ cd /directory/of/14B9:929B.8.conf
root $ ln -s 14B9:929B.8.conf 1179\:060A.5.conf
root $ ls -al
1179:060A.5.conf -> 14B9:929B.8.conf
14B9:0340.5.conf
14B9:0350.5.conf
14B9:4800.5.conf
14B9:929B.8.conf
netx500.inf
pcx500.sys
The kernel might already have the open-source driver running. To prevent it from loading these modules (aka drivers) instead, we need to blacklist them in /etc/modprobe.conf:
# blacklist the modules
blacklist airo_cs
blacklist airo
# alias the interface to eth1 (or wlan0 if that's your
alias eth1 ndiswrapper
So now we have installed and setup ndiswrapper for this PCMCIA card.
Restart the system!!! Okay, there's no need to do that, but I'm lazy...
Besides, I just upgraded a ton of other stuff too...
root $ modprobe ndiswrapper
root $ lsmod
Since I'm using PEAP (yes, I know it's not secure. NUS doesn't care.... It's their newly installed "secure" wireless system.), I have to get wpa_supplicant to work too.
Hmm... I'm getting tired of typing. I'll just plonk my wpa_supplicant configuration here then... 
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
ap_scan=2 # seems to work only if set to 2
eapol_version=2
network={
disabled=0
priority=1
ssid="NUS"
scan_ssid=1
key_mgmt=IEEE8021X
eap=PEAP
phase2="auth=MSCHAPV2"
identity="user@nus.edu.sg"
password="password"
ca_cert="/path/to/ase1.pem"
}
network={
disabled=1
ssid="NUSOPEN"
scan_ssid=1
key_mgmt=NONE
priority=2
}
network={
disabled=1
key_mgmt=NONE
priority=-9999999
}
Okok... I won't leave you in the berth. Here's a howto on NUS PEAP configuration
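Added example (not part of the original post): a shell check for a configuration like the one above, reporting EAP network blocks that have no ca_cert or no server-name match, and a config file that other users can read. The function names and the EXAMPLE-NOCA network are constructed for illustration.

```shell
# Added example: flag 802.1X/EAP network blocks in a wpa_supplicant.conf that
# skip server-certificate checks, and a config file readable by other users.
audit_wpa_conf() {    # usage: audit_wpa_conf FILE ; prints one finding per line
    # group/other permission bits are columns 5-10 of the ls mode string
    if [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]; then
        echo "file: accessible beyond owner, but may hold a cleartext password"
    fi
    awk '
        # drop trailing comments on lines without quoted strings, then trim
        $0 !~ /"/ { sub(/#.*$/, "") }
        { gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 == "network={" { inblk = 1; ssid = "?"; eap = ca = name = 0; next }
        !inblk { next }
        /^ssid=/    { ssid = substr($0, 6) }
        /^eap=/     { eap = 1 }
        /^ca_cert=/ { ca = 1 }
        /^(subject_match|altsubject_match|domain_suffix_match)=/ { name = 1 }
        $0 == "}" {
            if (eap && !ca)
                print ssid ": no ca_cert, server certificate is not verified"
            else if (eap && !name)
                print ssid ": ca_cert set but no server name match"
            inblk = 0
        }
    ' "$1"
}

# Constructed sample: the first block mirrors the PEAP settings above, the
# second drops ca_cert, the third is an open network (not EAP, not reported).
write_sample_conf() {
    cat > "$1" <<'EOF'
network={
    ssid="NUS"
    eap=PEAP
    password="password"
    ca_cert="/path/to/ase1.pem"
}
network={
    ssid="EXAMPLE-NOCA"
    eap=PEAP
}
network={
    ssid="NUSOPEN"
    key_mgmt=NONE # open
}
EOF
}
```

Source the file and run audit_wpa_conf against your own wpa_supplicant.conf; no output means none of the three conditions was found.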
Wow! Found this gem when researching on BIND hardening: Rob Thomas' CYMRU Secure BIND Template.
O'Reilly also published an excerpt of their DNS book (DNS and BIND, by Paul Albitz and Cricket Liu), which detailed more security tips. Yes, this book can be found in the National Library too.
During a security scan, one of my DNS servers was fingerprinted by NESSUS, so I think I will disable all CHAOS queries from now on.... Grrr......
Now that I am doing cross platform system administration, it is getting critical to have lists of equivalent commands across the *nixes. Found 2 guides so far:
Will be adding more as the time goes by. 
As mentioned previously, I had to mirror a server for testing purposes across two networks through a computer in the middle. The best way I found was to do an rsync over ssh, but this requires non-password authentication, hence I have to set up an RSA key-pair login.
First, the ssh server must allow this authentication method. Make sure /etc/ssh/sshd_config has the following:
# use ssh protocol 2!! (comment kept on its own line: sshd_config comments must start the line)
Protocol 2
# Authentication
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
Restart your ssh server. You might want to start another ssh session first, in case there's something wrong and your ssh server can't restart.
Make sure you are the only user able to access ~/.ssh/authorized_keys by changing the permissions to 600.
[user@server] $ chmod 600 ~/.ssh/authorized_keys
The default location of the RSA key-pair is in ~/.ssh/id_rsa (private key) and ~/.ssh/id_rsa.pub (public key). This is set in /etc/ssh/ssh_config of your client computer, under IdentityFile.
In your own account, generate an RSA key-pair. You do not need a passphrase. Store the keys in the location indicated in your ssh client configuration.
[user@client] $ ssh-keygen -t rsa
Change the permissions such that only you can read the files.
[user@client] $ chmod 600 ~/.ssh/id_rsa
[user@client] $ chmod 600 ~/.ssh/id_rsa.pub
Append your public key to the ssh server. Of course you can cut and paste, or you can do this:
[user@client] $ cat ~/.ssh/id_rsa.pub | ssh username@ssh.server "cat - >> ~/.ssh/authorized_keys"
If everything works, you should be able to login without typing in any passwords. Hooray!
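Added example (not part of the original post): since the key above has no passphrase, the server-side authorized_keys entry can be limited to one source address and one forced command, and existing entries without any options can be listed. The function names, the 192.0.2.10 address, the key blobs and the /usr/local/bin/rrsync path are assumptions for illustration.

```shell
# Added example: limit what a passphrase-less key can do on the server, and
# list authorized_keys entries that carry no restrictions at all.

# restricted_key_line PUBKEY_FILE FROM_PATTERN FORCED_COMMAND
# Prints an authorized_keys line that accepts the key only from FROM_PATTERN,
# always runs FORCED_COMMAND, and disables tty allocation and forwarding.
restricted_key_line() {
    opts="from=\"$2\",command=\"$3\""
    opts="$opts,no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding"
    # the first line of the .pub file is appended unchanged
    printf '%s %s\n' "$opts" "$(sed -n '1p' "$1")"
}

# audit_authorized_keys FILE
# Prints "LINE: COMMENT" for each entry that starts directly with a key type,
# i.e. has no options field and therefore allows a full login.
audit_authorized_keys() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }        # skip comments and blank lines
        $1 ~ /^(ssh-|ecdsa-|sk-)/ {           # key type first: no options
            print NR ": " ($3 != "" ? $3 : "(no comment)")
        }
    ' "$1"
}

# Constructed sample input (the key blobs are placeholders, not real keys).
write_sample_keys() {
    cat > "$1" <<'EOF'
# mirror job
from="192.0.2.10",command="/usr/local/bin/rrsync -ro /srv/mirror",no-pty ssh-rsa AAAAB3PLACEHOLDER1 mirror@client
ssh-rsa AAAAB3PLACEHOLDER2 user@client
EOF
}
```

With a forced command such as rsync's rrsync helper, the key can only drive rsync under the named directory, so the output of restricted_key_line is what gets appended to ~/.ssh/authorized_keys instead of the bare public key.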
Encountered a problem deleting a file with the name "--option=backup" (without the quotes). Don't ask me how it got there, I have no idea. It can't be deleted using rm or renamed using mv.
[user@system /]# rm '--owner=backup'
rm: unrecognized option `--owner=backup'
Try `rm --help' for more information.
[user@system /]# mv '--owner=backup' nothing
mv: unrecognized option `--owner=backup'
Try `mv --help' for more information.
Solution? Shyam Mani suggested unlink '--option=backup'. Apparently, it directly uses the Linux unlink system call to delete files, so it does not encounter the same problem as rm.
Update 1: Some people suggested alternatives like rm -- '--option=backup', or rm ./--option=backup. Both worked nicely.
Update 2: And yes, Konqueror can delete that file too. Why didn't I think of that? 